1. Cyber Security and the National Central Banks
CPEXPO Community Protection
Genova, October 30th 2013
Servizio Innovazione e sviluppo informatico
Divisione Architettura, infrastrutture e sicurezza
2. AGENDA
1. Introduction
2. The Cyber Threat from a National Central Bank Perspective
3. The Cyber Crime Economy
4. Trend prediction
5. The Central Bank Response
6. Conclusion
3. 1. INTRODUCTION
Changes in IT 1/2
• "Anytime, anywhere, any platform" access to systems
• Open source platforms adopted in order to improve access to "best of breed" technology
• "Time-to-market": pressure for new systems/applications
• Knowledge workers, big data and business intelligence
• Social media
4. 1. INTRODUCTION
Challenges for central banks
• Increasing complexity in IT systems → larger attack surface
• IT systems integrating different business lines → interdependencies increase
• External counterparties and service providers involved in business processes → an appropriate trust model is needed
5. 1. INTRODUCTION
Issues to be tackled by security experts 1/2
• Can IT continue to meet the needs of the business while maintaining an appropriate security level?
– Not only preventive countermeasures: reactive controls as well
• Are IT services and infrastructure protected from the Cyber Threat?
– The new threats must be assessed against the Confidentiality, Integrity and Availability criteria, taking into account the countermeasures in place
• Are the business lines aware of the new Cyber Threat risks?
– Otherwise only the perceived risks get mitigated
6. 1. INTRODUCTION
Issues to be tackled by security experts 2/2
• Is the trust model still valid?
– "Security control" of counterparties and information services
• Are all information flows under control?
– "Control" of the unstructured flow (e.g. Social Media)
• Do we spend too much or too little on the security of information?
– Return on Security Investment (e.g. ROSI approach)
• What is the information I "do not know"?
– We must be aware that countering Cyber Crime requires effort in gathering relevant information
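The ROSI approach mentioned above can be made concrete with a small calculation. The following Python example is added here for illustration and is not part of the presentation; it uses the commonly cited ROSI formula (ALE = SLE × ARO; ROSI = (ALE × mitigation ratio − control cost) / control cost, as in ENISA's guidance on the topic), and all scenario names and figures in it are constructed for the example.

```python
"""Return on Security Investment (ROSI) worked example.

Added illustration, not code from the original slide deck. Formula
(commonly cited, e.g. in ENISA's ROSI guidance):

    ALE  = SLE * ARO                                  # annualised loss expectancy
    ROSI = (ALE * mitigation_ratio - control_cost) / control_cost

Every scenario and figure below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float               # single loss expectancy: cost of one incident
    aro: float               # annual rate of occurrence: incidents per year
    mitigation_ratio: float  # fraction of the loss the control removes, 0..1
    control_cost: float      # yearly cost of the control


def ale(s: Scenario) -> float:
    """Annualised loss expectancy without the control in place."""
    return s.sle * s.aro


def rosi(s: Scenario) -> float:
    """ROSI as a ratio: 1.0 means the control returns its cost twice over."""
    if s.control_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= s.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must lie between 0 and 1")
    return (ale(s) * s.mitigation_ratio - s.control_cost) / s.control_cost


def worth_investing(s: Scenario) -> bool:
    """A control pays for itself when the loss it avoids exceeds its cost."""
    return rosi(s) > 0


def rank(scenarios: Iterable[Scenario]) -> List[str]:
    """Scenario names ordered from best to worst return."""
    return [s.name for s in sorted(scenarios, key=rosi, reverse=True)]


# Constructed inputs: three candidate controls competing for the same budget.
CONSTRUCTED_SCENARIOS = [
    Scenario("Phishing awareness training", sle=50_000, aro=4.0,
             mitigation_ratio=0.6, control_cost=40_000),
    Scenario("DDoS scrubbing service", sle=200_000, aro=0.5,
             mitigation_ratio=0.9, control_cost=120_000),
    Scenario("WAF in front of an internal wiki", sle=5_000, aro=1.0,
             mitigation_ratio=0.8, control_cost=30_000),
]


if __name__ == "__main__":
    for s in CONSTRUCTED_SCENARIOS:
        verdict = "invest" if worth_investing(s) else "do not invest"
        print(f"{s.name:38s} ALE={ale(s):>10,.0f}  ROSI={rosi(s):+.2f}  {verdict}")
    print("Ranking:", " > ".join(rank(CONSTRUCTED_SCENARIOS)))
```

The point the calculation makes for the "too much or too little" question is that a control can be technically sound and still a poor investment when the loss it avoids is smaller than its yearly cost, and that the inputs most open to dispute (ARO and the mitigation ratio) are the ones that need the evidence-gathering effort the slide refers to.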
7. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE
The attackers
• Who are the attackers?
• What are their motivations?
• What are their goals?
• What methods do they use?
8. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE
The motivations
Attackers: Motivations
1. Hacktivists: Anti-globalization, anti-capitalism
2. Terrorists: Ideology, political change, power, money
3. Politically motivated: Geo-political reasons, financial benefits
4. Criminal organizations: Money, retaliation
5. Employees: Retaliation, personal gain, coercion
6. Occasional Hackers: Reputation, curiosity
9. 2. THE CYBER THREAT FROM A NATIONAL CENTRAL BANK PERSPECTIVE
The goals and methods
Goal of the Cyber Attack: Method of the Cyber Attack
1. Web site defacement: Web application attacks
2. DoS / DDoS: Botnets
3. Information theft: Advanced Persistent Threats (APT), Malware, Hacking, Social Engineering
4. Information leakage: WikiLeaks, Social Media, Forums, Web Sites
5. Sabotage: Disabling / Bypassing security systems
6. Intrusion: Social Engineering, Malware, APT
7. Fraud: Social Engineering, Hacking, Malware
8. Corruption: Unreliable internal employees
9. Other illegal activities: Abuse of resources
10. 3. THE CYBER CRIME ECONOMY
• Cyber Crime: a hidden economy in good health and little affected by the increased sensitivity to security:
– $114 billion direct costs (Symantec, 2011)
– $110 billion direct costs (Symantec, 2012)
• Human Resources (hackers for hire)
• Crime-as-a-service
– "eBay"-style procurement of Cyber Attack services (viruses, keyloggers, etc.)
– Electronic payments on the "BitCoin" model
– On-demand Cyber Attacks
• Goods
Ware: price (USD)
Malware (source code): $100 – $100,000
«Exploit pack» (e.g. ZEUS): $150 – $2,200
Malware installation: $6 – $150 (per 1,000 installations)
Zero day exploit: $100,000 – $5,000,000
11. 4. TREND PREDICTION
• More data leakages
• More politically motivated operations
• More professional malware (also on mobile devices)
• More tailor-made exploit code and attacks
• Less time for all of us to react
12. 5. THE CENTRAL BANK RESPONSE – 1/3
• Cyber Risk Governance
– The management of Cyber Risk has been included in the operational risk management framework (ORM)
– Cyber Risks have often been included in the corporate risk management framework (ERM)
– The governance of Cyber Risk has been changing in order to speed up the processes of decision making and incident management
• Risk Management
– A gap analysis is in progress regarding the systems potentially vulnerable to an attack and the existing controls at business and IT level
– The current trust model toward external counterparties is under assessment
– Personnel involved in critical operations or dealing with sensitive information is subject to specific screening
13. 5. THE CENTRAL BANK RESPONSE – 2/3
• Business Continuity
– The procedures to assess the extent of damage caused by an attack are being speeded up
– The option of carrying on business operations even with IT systems under attack is being considered
– Communication processes are defined to re-establish an appropriate level of trust internally and with external counterparties
• Awareness
– Increase of Information Security training programs
– The Central Bank senior management and the risk Committees are regularly informed about the risk situation
– Increase of testing of Cyber Attack response plans
14. 5. THE CENTRAL BANK RESPONSE – 3/3
• Strengthening of security measures for critical applications and systems
– Connections to un-trusted networks are limited
– Privileged access to applications, data and operations is minimized
• Reference to best practices issued by international organizations in the industry and / or government
– Adoption of the Cyber Resilience models issued by WEF, ISF and OECD is under evaluation
15. 6. CONCLUSION
• The risk associated with the Cyber Threat is not just an IT problem → responses should be coordinated with the other security teams (physical security, business continuity)
• As attack complexity increases, detection is increasingly linked to the recognition of abnormal behaviour
• Cyber Attacks will tend to target the weakest link in the chain (e.g. social engineering)
• The identity management and authentication functions must be strengthened
• Information sharing and collaboration among like-minded institutions are becoming increasingly important